lzo: Handle integer overflow
get_len can overflow for a specially crafted payload.

Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
parent
e121ac634b
commit
ccda51b14c
@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
|
||||
{
|
||||
register const uint8_t *src = c->in;
|
||||
register uint8_t *dst = c->out;
|
||||
if (cnt < 0) {
|
||||
c->error |= AV_LZO_ERROR;
|
||||
return;
|
||||
}
|
||||
if (cnt > c->in_end - src) {
|
||||
cnt = FFMAX(c->in_end - src, 0);
|
||||
c->error |= AV_LZO_INPUT_DEPLETED;
|
||||
@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
|
||||
/**
|
||||
* @brief Copies previously decoded bytes to current position.
|
||||
* @param back how many bytes back we start
|
||||
* @param cnt number of bytes to copy, must be >= 0
|
||||
* @param cnt number of bytes to copy, must be > 0
|
||||
*
|
||||
* cnt > back is valid, this will copy the bytes we just copied,
|
||||
* thus creating a repeating pattern with a period length of back.
|
||||
@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
|
||||
static inline void copy_backptr(LZOContext *c, int back, int cnt)
|
||||
{
|
||||
register uint8_t *dst = c->out;
|
||||
if (cnt <= 0) {
|
||||
c->error |= AV_LZO_ERROR;
|
||||
return;
|
||||
}
|
||||
if (dst - c->out_start < back) {
|
||||
c->error |= AV_LZO_INVALID_BACKPTR;
|
||||
return;
|
||||
|
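Review bot: The new `if (cnt < 0)` guard in copy() and the `if (cnt <= 0)` guard in copy_backptr() only detect the overflow after it has happened: the description places the overflow in get_len, which none of these hunks touch, so the length is presumably still accumulated in a signed `int` there (get_len is not visible on this page). Signed overflow is undefined behaviour in C, so the compiler is not obliged to produce the negative value these guards test for, and a sum that wraps back into the positive range would pass both of them. Bounding the accumulation inside get_len would close the source, with something like `if (cnt >= INT_MAX - 1000) { c->error |= AV_LZO_ERROR; break; }` in its loop, keeping the two guards as a second line of defence. Both function bodies continue outside the hunks.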